Abstract

This paper discusses Boolean algebra applications in fault tree analysis. Fault tree 
analysis has been extensively used in nuclear power plant safety analysis, such as 
analysis of system hazard, determination of critical characteristics in commercial grade 
dedication, and estimation of industrial system reliability. In general, the logic relations 
presented in fault tree models can be equivalently represented in Boolean algebra 
formulas. The Boolean algebra representation has several advantages over the original 
fault tree representation. The most significant one is that the Boolean representation can 
easily be simplified to get a so-called minimum cut representation. From there, fault tree 
analysis can be applied to several applications mentioned above. In this paper, we use 
some simple examples to demonstrate how to use Boolean algebra as a tool to simplify the 
fault tree model to get an expression of minimum cut. We then point out possible 
applications of this technique, such as common mode failure using identical digital 
system/components and remedy by diversity design, hazard analysis, and critical 
characteristics determination. 
1. Introduction

Fault tree analysis is an important branch of reliability and risk analysis theory. It has 
been investigated extensively in the literature (see, for example, Scott and Smalley 2003, 
Lee et al. 1985, Aven 1992, and the references therein). Fault tree analysis has many 
applications in the nuclear industry (Ruijters and Stoelinga 2015, Peplow et al. 2004), and 
it is believed to be the most efficient way of handling the large logical models that are 
necessary for a nuclear power plant [Clause 4.154, McCormick 1981]. 

Because of the large logical models that are necessary to describe a nuclear power 
plant, there is a clear need to simplify the large logical models to get a logical expression 
which is easy to understand. In reference (IAEA 2001), a Boolean algebra method is 
proposed to achieve this goal. However, the main purpose of reference (IAEA 2001) is to 
derive a systematic method to estimate the reliability for digital instrumentation and 
control systems, which involves the estimation of both hardware reliability (Yang and 
Sydnor 2012) and software reliability (Bickel 2008). 

In this paper, we focus on the details of how to simplify such large logical models 
using the Boolean algebra method. We demonstrate the efficiency of this method in 
several applications, such as single failure event identification, Common Cause Failure 
(CCF) impact on system safety, hazard analysis, and failure rate estimation. 

The remainder of the paper is organized as follows: Section 2 gives the detailed 
description of Boolean algebra method in fault tree model simplification. Section 3 
provides various possible applications of the proposed logical simplification method. 
Conclusions are summarized in Section 4. 

2. Fault Tree Model Simplification 
First, we briefly review the basics of Boolean algebra. 

2.1. Boolean Algebra 

Boolean algebra was named after George Boole, who invented the algebra in his book 
(Yang 2009). The main operations of Boolean algebra are the conjunction "and", denoted 
∧, the disjunction "or", denoted ∨, and the negation "not", denoted ¬. A Boolean variable 
x can take only two values: 1 (or true) and 0 (or false). The values of x ∧ y, x ∨ y, and ¬x 
can be expressed by tabulating them in truth tables as follows. 

Table I. Truth Table 

 x | y | x ∧ y | x ∨ y | ¬x 
---+---+-------+-------+---- 
 0 | 0 |   0   |   0   |  1 
 0 | 1 |   0   |   1   |  1 
 1 | 0 |   0   |   1   |  0 
 1 | 1 |   1   |   1   |  0 

Using Venn diagrams, we can express the above operations as in Fig. 1. 

Figure 1. Venn diagrams for the Boolean algebra operations x ∧ y, x ∨ y, and ¬x 

Boolean algebra satisfies many of the same laws as ordinary algebra when one matches 
up ∨ with addition and ∧ with multiplication. In particular, the following laws are common 
to both kinds of algebra: 

(Associativity of ∨) x ∨ (y ∨ z) = (x ∨ y) ∨ z (1) 

(Associativity of ∧) x ∧ (y ∧ z) = (x ∧ y) ∧ z (2) 

(Commutativity of ∨) x ∨ y = y ∨ x (3) 

(Commutativity of ∧) x ∧ y = y ∧ x (4) 

(Distributivity of ∧ over ∨) x ∧ (y ∨ z) = (x ∧ y) ∨ (x ∧ z) (5) 

(Identity for ∨) x ∨ 0 = x (6) 

(Identity for ∧) x ∧ 1 = x (7) 

(Annihilator for ∧) x ∧ 0 = 0 (8) 

(Annihilator for ∨) x ∨ 1 = 1 (9) 

(Idempotence of ∨) x ∨ x = x (10) 

(Idempotence of ∧) x ∧ x = x (11) 

(Absorption 1) x ∧ (x ∨ y) = x (12) 

(Absorption 2) x ∨ (x ∧ y) = x (13) 

However, the distributivity of ∨ over ∧ differs from ordinary algebra and is 
given as follows: 

(Distributivity of ∨ over ∧) x ∨ (y ∧ z) = (x ∨ y) ∧ (x ∨ z) (14) 

Besides, there are one double negation law and two complementation laws: 

(Double negation) ¬¬x = x (15) 

(Complementation 1) x ∧ ¬x = 0 (16) 

(Complementation 2) x ∨ ¬x = 1 (17) 

Finally, there are two De Morgan's laws: 

(De Morgan 1) (¬x) ∧ (¬y) = ¬(x ∨ y) (18) 

(De Morgan 2) (¬x) ∨ (¬y) = ¬(x ∧ y) (19) 


2.2. Fault Tree Model Simplification Using Boolean Algebra 

It is easiest to illustrate the method with a simple example. Let us consider the 
artificial digital I&C system discussed in reference (IAEA 2001) and shown in Fig. 2, 
which has three identical redundant smart sensors, each consisting of both hardware and software. 



Figure 2. An artificial DI&C system 

The measurements from the three sensors are sent to an A/D converter, the signal is 
processed in a single-board computer, and the control command is then sent to a D/A 
converter and then to an actuator. All components have two different failure modes, i.e., 
aging-related hardware failures and physical-damage-related failures, except for the 
single-board computer and the smart sensors, whose two failure modes are aging-related 
hardware failure and software failure. We also assume that the A/D converter always receives 
signals (correct or incorrect) from the three sensors, while the signals are useful only if 
at least two of the sensors provide correct measurements. 

The fault tree corresponding to the digital I&C system can then be created as shown in 
Fig. 3, where A, C, E, G, K, and M are aging-related failures; H, L, and N are physical-
damage-related failures; I denotes computer hardware failure; B, D, and F are software 
failures in the smart sensors, which are due to the common-cause failure event X; and J 
denotes software failure in the computer. 

The fault tree model in Fig. 3 can be written in Boolean algebraic expressions as 
follows: 

S = M ∨ N ∨ DA (20) 

DA = K ∨ L ∨ P (21) 

P = I ∨ J ∨ AD (22) 

AD = H ∨ G ∨ (S1 ∧ S2) ∨ (S2 ∧ S3) ∨ (S1 ∧ S3) ∨ (S1 ∧ S2 ∧ S3) (23) 

S1 = A ∨ B = A ∨ X (24) 

S2 = C ∨ D = C ∨ X (25) 

S3 = E ∨ F = E ∨ X (26) 

Although the Boolean algebra equations (20)-(26) provide a complete description of the failure 
logic, this description is not the most convenient form for risk analysis. Using the Boolean 
algebra laws (1)-(17), we can reduce equations (20)-(26) to an equivalent minimal cut set 
description which defines all the "failure modes" of the DI&C failure events. First, from 
(24) and (25), we have: 

S1 ∧ S2 
= (A ∨ X) ∧ (C ∨ X) 
= [(A ∨ X) ∧ C] ∨ [(A ∨ X) ∧ X] 
= [(A ∨ X) ∧ C] ∨ [X ∧ (X ∨ A)] 
= [(A ∨ X) ∧ C] ∨ X 
= X ∨ [(A ∨ X) ∧ C] 
= [X ∨ (A ∨ X)] ∧ [X ∨ C] 
= [X ∨ A] ∧ [X ∨ C] 
= X ∨ (A ∧ C) (27) 

Figure 3. Fault tree of the DI&C system 

Similarly, we can obtain 

S1 ∧ S3 = X ∨ (A ∧ E) (28) 

S2 ∧ S3 = X ∨ (C ∧ E) (29) 

S1 ∧ S2 ∧ S3 = X ∨ (A ∧ C ∧ E) (30) 

This gives 

(S1 ∧ S2) ∨ (S1 ∧ S3) ∨ (S2 ∧ S3) ∨ (S1 ∧ S2 ∧ S3) 
= [X ∨ (A ∧ C)] ∨ [X ∨ (A ∧ E)] ∨ [X ∨ (C ∧ E)] ∨ [X ∨ (A ∧ C ∧ E)] 
= X ∨ (A ∧ C) ∨ (A ∧ E) ∨ (C ∧ E) ∨ (A ∧ C ∧ E) (31) 

Using (20)-(26) and (31), we obtain the complete failure logic as follows: 

S = M ∨ N ∨ DA = N ∨ M ∨ L ∨ K ∨ P 
= N ∨ M ∨ L ∨ K ∨ J ∨ I ∨ AD 
= N ∨ M ∨ L ∨ K ∨ J ∨ I ∨ G ∨ H ∨ (S1 ∧ S2) ∨ (S2 ∧ S3) ∨ (S1 ∧ S3) ∨ (S1 ∧ S2 ∧ S3) 
= N ∨ M ∨ L ∨ K ∨ J ∨ I ∨ G ∨ H ∨ X ∨ (A ∧ C) ∨ (C ∧ E) ∨ (A ∧ E) ∨ (A ∧ C ∧ E) (32) 

This simplification process looks tedious, but there are many software packages which 
can be used to handle the operations (Aven 1992). 

3. Applications 

The Boolean expression (32) is logically much clearer and easier to use in risk-analysis-
related applications than the fault tree representation in Fig. 3. From (32), we can 
see that all possible failure modes are (1) single failure events, namely N, M, L, K, J, I, 
G, H, and X; (2) double failure events, namely (A ∧ C), (A ∧ E), and (C ∧ E); and (3) the 
triple failure event (A ∧ C ∧ E). These logical failure modes were used in probabilistic 
risk analysis (PRA) in [7]. We will discuss several other applications in this section. For 
the sake of simplicity in our discussion/analysis, we assume in the rest of this section that 
all failures, A, B, C, D, E, F, X, G, H, I, J, K, L, M, and N, have the same failure probability 
of 10^-4 per year and that the failures are independent and identically distributed. 

3.1. Single Failure Event 

In the nuclear industry, one of the most important safety system design criteria is the 
Single Failure Criterion (Boole 1854). It basically says that the safety systems shall perform 
all safety functions required for a design basis event in the presence of any single detectable 
failure event. In this paper, the single failure event is defined differently. In the example 
discussed above, equation (32) indicates that N, M, L, K, J, I, G, H, and X are single failure 
events, in which any single event will disable the system from performing its function. We 
refer to these events as single failure events. But due to the redundancy and voting design for 
the smart sensors, the system will function correctly unless at least two of the three sensor 
hardware units fail at the same time ((A ∧ C) or (A ∧ E) or (C ∧ E) or (A ∧ C ∧ E)). We 
refer to (A ∧ C), (A ∧ E), and (C ∧ E) as double failure events, to (A ∧ C ∧ E) as a triple 
failure event, and so on. 

3.2. Hazard and Risk Analysis 
Although all failure events in the example of the previous section, N, M, L, K, J, I, G, H, 
X, (A ∧ C), (A ∧ E), (C ∧ E), and (A ∧ C ∧ E), will cause the system to fail to 
perform its function, and should be considered in hazard analysis, the risks of these events 
are different. For all single failure events, N, M, L, K, J, I, G, H, X, as we have assumed, 
the failure probability is 10^-4 per year. But the failure probabilities for the double 
failure events are p(A ∧ C) = p(A)p(C) = p(A ∧ E) = p(C ∧ E) = 10^-8 per year, and the 
failure probability of the triple failure event is p(A ∧ C ∧ E) = 10^-12 per year. Therefore, 
the redundancy and voting design for smart sensor hardware failure reduces the risk 
significantly (10^-4 vs 10^-8). That is the main reason that single failure events are the 
highest-risk events and should be considered seriously. 


3.3. CCF and Diversity Consideration 

Another serious safety concern in the nuclear industry is the Common Cause Failure (CCF) 
scenario in safety systems. In the example discussed in the previous section, if all three 
smart sensors use the same hardware and identical software, then a bug in the software 
can trigger the CCF event X. Based on the analysis in the previous section, this event will 
prevent the system from performing its function, and it has a failure probability of 10^-4 
per year. However, if the smart sensors use three different software packages to perform 
the same function, the software failures can be modeled as three different failure events, B, D, 
and F. With this design diversity consideration, we can show that CCF will not be a concern 
in this scenario. Indeed, equation (27) in this scenario becomes 

S1 ∧ S2 
= (A ∨ B) ∧ (C ∨ D) 
= [(A ∨ B) ∧ C] ∨ [(A ∨ B) ∧ D] 
= (A ∧ C) ∨ (C ∧ B) ∨ (A ∧ D) ∨ (B ∧ D) (33) 

Similarly, we can obtain 

S1 ∧ S3 = (A ∧ E) ∨ (A ∧ F) ∨ (B ∧ E) ∨ (B ∧ F) (34) 

S2 ∧ S3 = (C ∧ E) ∨ (C ∧ F) ∨ (E ∧ D) ∨ (D ∧ F) (35) 

S1 ∧ S2 ∧ S3 = (A ∧ C ∧ E) ∨ (A ∧ C ∧ F) ∨ (A ∧ E ∧ D) ∨ (A ∧ D ∧ F) 
∨ (B ∧ C ∧ E) ∨ (B ∧ C ∧ F) ∨ (B ∧ E ∧ D) ∨ (B ∧ D ∧ F) (36) 

Note that we omitted some higher order terms in (36) which have very little impact on risk 
analysis, if any. The complete failure logic in this scenario becomes 

S = N ∨ M ∨ L ∨ K ∨ J ∨ I ∨ G ∨ H ∨ (A ∧ C) ∨ (C ∧ E) ∨ (A ∧ E) 
∨ (A ∧ D) ∨ (A ∧ F) ∨ (C ∧ B) ∨ (C ∧ F) ∨ (E ∧ B) ∨ (E ∧ D) 
∨ (B ∧ D) ∨ (B ∧ F) ∨ (D ∧ F) 
∨ (A ∧ C ∧ E) ∨ (A ∧ C ∧ F) ∨ (A ∧ E ∧ D) ∨ (A ∧ D ∧ F) 
∨ (B ∧ C ∧ E) ∨ (B ∧ C ∧ F) ∨ (B ∧ E ∧ D) ∨ (B ∧ D ∧ F) (37) 

Therefore, the smart sensor software failure is no longer a single failure event in this 
scenario. Although there are a few more double and triple failure events, their failure 
probabilities are much lower than the single failure probability of the CCF event. This 
shows how much the diversity design consideration reduces the risk of smart sensor 
failure (10^-8 vs 10^-4). 
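As an added example (not code from the paper or from IAEA 2001), the following Python script expands the fault tree of Fig. 3 into sum-of-products form and applies absorption (13) to obtain the minimal cut sets, for both the identical-software case of Section 2.2 (B = D = F = X) and the diverse-software case of Section 3.3 (distinct B, D, F), and attaches the per-year probability of each cut set under the independence assumption of Section 3.2. The nested-tuple encoding and the function names are my own; note that absorption also drops the triple terms such as (A ∧ C ∧ E), which is contained in (A ∧ C), whereas (32) and (37) list them explicitly.

```python
from itertools import product

# Fault tree of Fig. 3 as nested tuples ("or", ...) / ("and", ...) with basic
# events as strings, following equations (20)-(26). The sensor software events
# are parameters: B = D = F = X models identical software (CCF event X),
# distinct B, D, F model diverse software (Section 3.3).
def di_and_c_tree(b, d, f):
    s1, s2, s3 = ("or", "A", b), ("or", "C", d), ("or", "E", f)
    ad = ("or", "H", "G", ("and", s1, s2), ("and", s2, s3),
          ("and", s1, s3), ("and", s1, s2, s3))
    return ("or", "M", "N", ("or", "K", "L", ("or", "I", "J", ad)))

def cut_sets(node):
    """Expand a gate into sum-of-products form: a set of cut sets, each a
    frozenset of basic events. OR is set union (laws 3, 10); AND distributes
    over OR (law 5); idempotence (law 11) is automatic since X ∧ X is {X}."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, *children = node
    expanded = [cut_sets(child) for child in children]
    if op == "or":
        return set().union(*expanded)
    return {frozenset().union(*combo) for combo in product(*expanded)}

def minimal(sets):
    """Absorption (law 13): drop any cut set that strictly contains another,
    e.g. X ∨ (X ∧ A) = X."""
    return {c for c in sets if not any(other < c for other in sets)}

def by_order(sets):
    """Group cut sets by size: single, double, triple failure events."""
    grouped = {}
    for c in sets:
        grouped.setdefault(len(c), set()).add(c)
    return grouped

def cut_set_probability(cut, p=1e-4):
    """i.i.d. basic events with probability p per year: p(A ∧ C) = p(A)p(C)."""
    return p ** len(cut)

if __name__ == "__main__":
    for label, software in (("identical software", ("X", "X", "X")),
                            ("diverse software", ("B", "D", "F"))):
        mcs = minimal(cut_sets(di_and_c_tree(*software)))
        print(label)
        for order, group in sorted(by_order(mcs).items()):
            print(f"  order {order}: {len(group)} cut sets, each"
                  f" {cut_set_probability(next(iter(group))):.0e} per year")
```

With identical software the run yields nine single cut sets (including X) and the three doubles of (32); with diverse software it yields eight singles and the twelve doubles of (37), the CCF single event having disappeared.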

3.4. Commercial Grade Dedication and Critical Characteristics 

In the nuclear industry, all components and systems used in safety systems should be 
designed and manufactured following the process described in the Code of Federal 
Regulations, 10 CFR Appendix B (IEEE standard 603 2009), which has very strict 
requirements on design and manufacturing documentation. However, these requirements 
are very difficult to satisfy for components and systems available in today's market, 
where components and systems are not designed and manufactured following the 
Appendix B process. An alternative process with fewer documentation requirements, called 
commercial grade dedication, is therefore introduced in (Part 21, IEEE standard 603 
2009). For a commercial grade item (meaning a structure, system, or component, or part 
thereof that affects its safety function, that was not designed and manufactured under a 
quality assurance program complying with appendix B to part 50; IEEE standard 603 
2009), an important concept in this process is critical characteristics (Part 21, IEEE 
standard 603 2009), which are defined as: "critical characteristics are those important 
design, material, and performance characteristics of a commercial grade item that, once 
verified, will provide reasonable assurance that the item will perform its intended safety 
function." Therefore, we may consider all single failure events as part of the critical 
characteristics. If the probability of these failure events is verified to be small enough, it 
will provide reasonable assurance that the commercial grade item will perform its 
intended safety function, because the failure probabilities for higher order failure events 
are much smaller and can therefore be ignored. This idea is similar to EPRI's proposed 
method of using failure modes and effects analysis to determine the critical 
characteristics [Section 1.5.3, Code of Federal Regulations 2014], but we provide an 
easy-to-implement and mathematically rigorous method rather than a general one. 

4. Conclusions 

In this paper, we proposed a method that uses Boolean algebra to simplify the fault 
tree model and obtain all failure modes of a structure, system, or component. The 
result obtained from this method provides a clear description of all failure modes of 
the structure, system, or component. It is easy to see that single failure 
events are the highest-risk events and need special consideration in the safety 
analysis. This method can be applied to several problems related to safety and 
risk analysis, such as probabilistic risk analysis, hazard and risk analysis, CCF 
analysis, and commercial grade dedication in the nuclear industry. 